def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\SharpDPAPI.exe"),
                    event.deep_get("OriginalFileName", default="") == "SharpDPAPI.exe",
                ]
            ),
            all(
                [
                    any(
                        [
                            " backupkey " in event.deep_get("CommandLine", default=""),
                            " blob " in event.deep_get("CommandLine", default=""),
                            " certificates " in event.deep_get("CommandLine", default=""),
                            " credentials " in event.deep_get("CommandLine", default=""),
                            " keepass " in event.deep_get("CommandLine", default=""),
                            " masterkeys " in event.deep_get("CommandLine", default=""),
                            " rdg " in event.deep_get("CommandLine", default=""),
                            " vaults " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    any(
                        [
                            all(
                                [
                                    " {" in event.deep_get("CommandLine", default=""),
                                    "}:" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    " /file:" in event.deep_get("CommandLine", default=""),
                                    " /machine" in event.deep_get("CommandLine", default=""),
                                    " /mkfile:" in event.deep_get("CommandLine", default=""),
                                    " /password:" in event.deep_get("CommandLine", default=""),
                                    " /pvk:" in event.deep_get("CommandLine", default=""),
                                    " /server:" in event.deep_get("CommandLine", default=""),
                                    " /target:" in event.deep_get("CommandLine", default=""),
                                    " /unprotect" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
